Caucasian conflagration has some wider lessons for online security.


On October 24, the country of Georgia took an unusual step: it posted to the Web a 27-page writeup (PDF), in English, on how it has been under assault from a hacker allegedly based in Russia. The paper included details of the malware used, how it spread, and how it was controlled. Even more unusually, the Georgians released pictures of the alleged hacker—taken with his own webcam after the Georgians hacked the hacker with the help of the FBI and others.

The story itself, which we covered briefly earlier this week, is fascinating, though it remains hard to authenticate and is relayed in a non-native English that makes for some tough reading. But what caught my eye about the whole cloak-and-dagger tale is the broader points it makes about hacking, jurisdiction, and the powerful surveillance devices that our computers have become.

It's also an example of how hacks and the alleged hackers behind them today play an increasing role in upping geopolitical suspicions between countries already wary of one another. Georgia and Russia have of course been at odds for years, and their conflict came to a head in a brief 2008 war; Russia still maintains a military presence in two tiny breakaway enclaves that Georgia claims as its own.

But first, the backstory.

Targeted strike

The attack itself was highly targeted. The hacker behind it began by infiltrating various news sites within Georgia, then modified only specific pages within those sites most likely to cover topics like NATO, the Georgian military, and US-Georgia relations. These modified pages included a "script" tag in their HTML code which pointed to a remote IP address serving up the inconspicuously named "frame.php." Anyone visiting the page would automatically have their Web browser execute the script, which served up a crypted version of the malware installation tool TrojanDownloader:JS/SetSlice. The code used known vulnerabilities in Windows to instigate a "drive-by download" in which a user's browser would download and execute a file called "calc.exe" without throwing up an alert.

A Georgian news website showing the added script code.
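The injection described above (a remote `script` tag pointing at a bare IP address that serves `frame.php`) is the kind of thing a site owner can check for on a schedule. The following is an added example, not code from the article or the Georgian CERT report: it parses a page, collects every external script source, and flags those whose host is not on an allowlist, is a bare IP address, or serves a dynamic `.php` resource instead of a static file. The sample page, the allowlist hosts and the address `198.51.100.23` (a documentation-range IP) are constructed for the example.

```python
"""Flag <script src=...> tags that load code from unexpected hosts.

Added example, not from the CERT-GOV-GE report. The sample page mimics the
injection the article describes; the allowlist and the IP 198.51.100.23
(TEST-NET-2 documentation range) are assumptions made for this example.
"""
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlparse

# Hosts this site legitimately loads scripts from (assumed for the example).
ALLOWED_HOSTS = {"news.example.ge", "cdn.example.ge"}

# Constructed page: one legitimate CDN script, one injected remote script.
SAMPLE_PAGE = """<html><head>
<script src="https://cdn.example.ge/js/site.js"></script>
</head><body>
<h1>NATO delegation visits Tbilisi</h1>
<script src="http://198.51.100.23/frame.php"></script>
<script>var counter = 1;</script>
</body></html>"""


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag on the page."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            for name, value in attrs:
                if name == "src" and value:
                    self.sources.append(value)


def is_bare_ip(host):
    """True if the host part of a URL is a literal IP address."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def find_suspicious_scripts(html, allowed_hosts=ALLOWED_HOSTS):
    """Return [(src, [reasons])] for script sources that look injected.

    Relative URLs (same origin) are ignored. Reasons recorded: host not on
    the allowlist, host is a bare IP address, or the resource is a
    server-side .php script rather than a static .js file.
    """
    parser = ScriptSrcCollector()
    parser.feed(html)
    findings = []
    for src in parser.sources:
        parsed = urlparse(src)
        host = parsed.hostname
        if host is None:  # relative URL, served from this site
            continue
        reasons = []
        if host not in allowed_hosts:
            reasons.append("host not on allowlist")
        if is_bare_ip(host):
            reasons.append("bare IP address")
        if parsed.path.lower().endswith(".php"):
            reasons.append("dynamic .php resource")
        if reasons:
            findings.append((src, reasons))
    return findings


if __name__ == "__main__":
    for src, reasons in find_suspicious_scripts(SAMPLE_PAGE):
        print(f"SUSPICIOUS {src}: {', '.join(reasons)}")
```

Run against a crawl of the site's own pages, any hit outside the allowlist is worth a look; the bare-IP and `.php` heuristics are there because legitimate third-party script includes almost always use a hostname and a static path.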

Instead of launching a calculator, calc.exe scanned the computer it was on to see if it was located in the UTC+3 or UTC+4 time zones, which includes Eastern Europe all the way to Moscow. The malware would only install on computers within those regions (though this restriction was lifted in later versions). Calc.exe then injected itself into explorer.exe and also created a file called usbserv.exe—the actual malware—and wrote that filename into the Windows registry so that it would autorun. Usbserv.exe then ran in the background, performing one basic task: scanning all Word, PDF, Excel, text, rich text format, and PowerPoint files for a list of keywords that included items like "NATO." Such files were copied and uploaded to command and control servers, where they were retrieved by parties unknown and then deleted.

The result was a specific strike, hitting only those machines which revealed a user's interest in news about issues related to the Georgian military, which used the Georgian language, and which were in the region. Over the course of a year, the malware only infected 390 computers, 70 percent of which were in Georgia. The majority of these were in government ministries, parliament, and banks.

The malware activity was first noticed in March 2011 by Georgia's Computer Emergency Response Team (CERT), which was modeled on similar teams in the US (and is now replicated in places like the Ukraine, Poland, and Germany). After figuring out how the malware worked, Georgia contacted the three main Internet providers in the country and had them block access to the command-and-control servers for the malicious code (these had been written into the malware's binary file and pointed to machines scattered across the US, Georgia, France, Germany, Hungary, and the Czech Republic; fallback mechanisms kept these blocks from being wholly effective, however).
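The chain described in the preceding paragraphs (a browser dropping and launching `calc.exe`, the dropper registering `usbserv.exe` to autorun, and the implant calling out to a command-and-control server) leaves three distinct traces that endpoint telemetry can catch. The following is an added example, not code from the article or from CERT-GOV-GE: three small detection rules run over constructed endpoint events. The event format (a made-up `key=value` line per event, not any real EDR schema), the user name, the file paths and the C2 blocklist (`203.0.113.0/24`, a documentation range standing in for the addresses the ISPs were asked to block) are all constructed for the example.

```python
"""Three detection rules over constructed endpoint telemetry.

Added example, not from the CERT-GOV-GE report. The log lines, paths, user
name and the C2 blocklist are constructed; the key=value format is invented
for this example and is not a real EDR schema.
"""
import re
from ipaddress import ip_address, ip_network

# Constructed blocklist standing in for the C2 addresses the ISPs blocked.
C2_BLOCKLIST = [ip_network("203.0.113.0/24")]

BROWSERS = {"iexplore.exe", "firefox.exe", "opera.exe", "chrome.exe"}
# Path fragments (lower-case) that indicate a user-writable location.
USER_WRITABLE = ("\\users\\", "\\documents and settings\\", "\\temp\\")

# Constructed telemetry mirroring the infection chain, one event per line.
SAMPLE_EVENTS = r"""
type=process image="C:\Program Files\Internet Explorer\iexplore.exe" parent="C:\Windows\explorer.exe"
type=process image="C:\Users\alice\AppData\Local\Temp\calc.exe" parent="C:\Program Files\Internet Explorer\iexplore.exe"
type=registry key="HKCU\Software\Microsoft\Windows\CurrentVersion\Run\usbserv" data="C:\Users\alice\AppData\Roaming\usbserv.exe" image="C:\Users\alice\AppData\Local\Temp\calc.exe"
type=network image="C:\Windows\explorer.exe" dst=203.0.113.45 dport=80
type=network image="C:\Program Files\Internet Explorer\iexplore.exe" dst=198.51.100.7 dport=443
"""

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Turn one key=value line into a dict; values may be double-quoted."""
    event = {}
    for m in FIELD_RE.finditer(line):
        event[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return event


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_user_writable(path):
    return any(fragment in path.lower() for fragment in USER_WRITABLE)


def rule_browser_drops_exe(ev):
    """A browser process launching an .exe from a user-writable directory."""
    if ev.get("type") != "process":
        return None
    image = ev.get("image", "")
    if basename(ev.get("parent", "")) in BROWSERS and image.lower().endswith(".exe") \
            and in_user_writable(image):
        return f"browser spawned executable from user-writable path: {image}"
    return None


def rule_run_key_persistence(ev):
    """A Run key entry that points at a binary in a user-writable directory."""
    if ev.get("type") != "registry":
        return None
    key = ev.get("key", "").lower()
    data = ev.get("data", "")
    if "\\currentversion\\run" in key and in_user_writable(data):
        return f"autorun entry pointing into user-writable path: {data}"
    return None


def rule_c2_connection(ev):
    """Any process connecting to an address on the C2 blocklist."""
    if ev.get("type") != "network":
        return None
    dst = ip_address(ev["dst"])
    if any(dst in net for net in C2_BLOCKLIST):
        return f"{basename(ev.get('image', ''))} connected to blocklisted C2 {ev['dst']}"
    return None


RULES = (rule_browser_drops_exe, rule_run_key_persistence, rule_c2_connection)


def detect(events_text):
    """Return (rule name, message) for every event that trips a rule."""
    hits = []
    for line in events_text.strip().splitlines():
        ev = parse_event(line)
        for rule in RULES:
            msg = rule(ev)
            if msg:
                hits.append((rule.__name__, msg))
    return hits


if __name__ == "__main__":
    for name, msg in detect(SAMPLE_EVENTS):
        print(f"[{name}] {msg}")
```

Note that the third rule fires on `explorer.exe`, not on the dropper: because the implant injected itself into the shell, the network connection is attributed to a process that normally looks benign, which is why a destination blocklist (or the ISP-level block the article describes) catches what a process-name rule would miss.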

The virus author tweaked his creation throughout 2011 to evade countermeasures. By September, the malware had a new infection mechanism and new tools for bypassing antivirus scanners and firewalls. By November, the malware had become more heavily encrypted and could infect Windows 7 as well. By December, it added the capability to record video from a user's screen, webcam, or microphone, and it could spread to other machines on the same network.

The malware even had its own API. According to security firm ESET, which looked at the software earlier this year, the API accepted 19 simple commands, including:

find [PATTERN]: Find file names containing the pattern
dir [FOLDER]: Directory listing of a folder
load [URL]: Download the specified executable and add it to autorun
upload [PATH]: Upload the specified file to the C&C
ddos [DOMAIN]: Start a DDoS against a domain
word [KEYWORDS]: Find Word documents containing one of the keywords
photo: Take screenshots of the computer desktop
audio: Capture audio from microphone
video: Capture video from webcam
passwords: Steal browser passwords (Internet Explorer, Opera)

ESET also gained access to the malware's command console; at the time it did so, the malware was scanning for the following search terms, in English:

After the discovery, CERT-GOV-GE (Georgia's CERT designation) worked with the FBI, US-CERT, and regional CERTs to identify all infected machines and to notify their owners. It also worked with security firms and with Microsoft to update malware scanners, and it went to the hosting companies which owned the main command-and-control servers and had those servers shut down. But beyond this, CERT-GOV-GE wanted to know who was responsible—and the group's suspicion focused on Russia. But how to get proof? CERT decided to hack the hacker.

The tables turn

CERT-GOV-GE had an infected computer in its lab, which it seeded with a .ZIP archive containing a file called "Georgian-NATO agreement." This was exactly the sort of thing likely to get exfiltrated by the malware, and it didn't take long before the file was winging its way through the tubes to one of the still-operating fallback command-and-control servers in Russia. The "Georgian-NATO Agreement" was, of course, a virus—the nature of which Georgia does not specify. But the hope was that the hacker would open the file to see if it was genuine, and when he did so, the virus would infect him and provide CERT-GOV-GE with direct access to his machine.

Let's be logical here though. A state-sponsored spy working from a crappy apartment with a computer with a working webcam? NSA hardening recommendations have stated for years to disable cameras in laptops; I doubt other agencies haven't applied the same kind of rules.

What happened to the control servers situated in friendly (NATO) countries?

I didn't see any correlation of an online persona to an IRL person. No IRC handles, twitter/fb/weibo/alibaba/ebay were connected to an actual person other than a grainy picture of someone who looks like Borat. The article clearly states they don't know who this guy is.

Nitpicking aside, it's interesting that the Georgians revealed the info as opposed to trying to go through prosecutorial channels. I'd be interested to read more about why the decision makers thought it was ok to tap foreign .gov's for the investigation and then cut them loose once they had all the information collected.

It makes me wonder if investigators are savvy enough to find these people but the respective courts are still too byzantine to do anything useful with the info collected.

if a skilled hacker like the person behind the Georgia attacks can himself be so easily viewed with his own webcam... what hope do the rest of us have?

The answer is, of course, none.

Oh, it's perfectly possible to protect yourself against such problems, but it typically isn't worth the trouble for the average user. Generally, people are surfing the probability wave, hoping they'll be lucky and won't catch anything that isn't handled by their security instead of really trying to bulletproof their systems. And generally, they are perfectly right to do so.

The interesting thing, here, seems to be that, even if we believe that these people are actually the ones who designed and orchestrated the attack, they clearly didn't do a very good job at protecting themselves: it looks like they didn't have even the most basic layers of protection that are (or should be) taken for granted in any sensitive environment: network isolation, using locked-down machines for sensitive tasks, etc. Heck, it even sounds like they were using the same machine for development and operation.

Frankly, while the attack may have used advanced hacking techniques (and it really isn't clear that they weren't just script kiddies), this reeks of a level of amateurism that you don't really expect from a state-sponsored operation. Of course, I am not at all "in the know" of the world of spies and state intelligence agencies, so I might also simply be over-estimating the FSB's computer warfare capabilities...

My parents found a wallpapered ceiling hiding above the drop ceiling in their kitchen. The contractor found that that ceiling was 1/4" plywood attached to 1x2's; and when he ripped it down as too flimsy to support the drywall my parents wanted, he discovered not one, but two live wires on separate circuits were embedded in it. Now that's much scarier than just a layer of ugly wallpaper overhead.

Regarding the last paragraph of the story, perhaps Ars could answer this for us? Assuming it is a webcam with an LED "on" indicator, is there a software bypass that allows the webcam to capture images without the indicator light being on? I thought when Apple first started including these in laptops they stated there is a hard-wired connection that would only allow the webcam to work if the indicator light was already on.

Also, they should have given that guy a high-def webcam before hacking him; those pictures aren't super clear.

I didn't see any correlation of an online persona to an IRL person. No IRC handles, twitter/fb/weibo/alibaba/ebay were connected to an actual person other than a grainy picture of someone who looks like Borat. The article clearly states they don't know who this guy is.

Nitpicking aside, it's interesting that the Georgians revealed the info as opposed to trying to go through prosecutorial channels. I'd be interested to read more about why the decision makers thought it was ok to tap foreign .gov's for the investigation and then cut them loose once they had all the information collected.

It makes me wonder if investigators are savvy enough to find these people but the respective courts are still too byzantine to do anything useful with the info collected.

There's more specific info in the report, including the address they seem to believe he worked from, his email address, his username, and possibly his own name. As I said in the piece, it's hard to know if any of this is accurate, so we didn't want to print it.

Damn, they were hacked by Borat! I'm not being racist, but come on, you can't wear such a 'stache, live in an ex-communist country and not invite that kind of pronouncement. (Which by the way is a real testament to the effectiveness of Sacha Baron Cohen's comedy skills.)

This is why I surf naked all the time. If they wanna photograph a 300 lb man with nipple rings made of baby doll heads, let em. I figure the shock and awe alone is enough to guarantee that unless they really are on the verge of suicide, they'd never click for that pic.

In all seriousness though. All you need to do is find the right spots on the Internet, and you can buy damn near anything you want. So, the fact that this stuff is readily available out there, not a shocker.

Georgia took an interesting slant to it though. I dunno if posting the dude's picture is a huge deal, if he truly is in Russia and they won't extradite, then who cares. He's untouchable in that regard. It's like teasing a dog behind a 40ft high fence made of razor wire. No matter what the dog tries, it won't get to you, but likewise you won't get to it either.

What hacker wouldn't have precautions set up so that he couldn't be hacked in return? The hacker seems like someone with nothing better to do, so he whipped up some malware, and after each time it was thwarted he fixed it up a little, to keep the lulz coming.

This article is built on a premise that whatever the Georgians say is true (of course -- they may be bastards, but at least they are our bastards). They hacked the hacker happily hacking the "process of creating new malicious modules" out of his crappy apartment, who had no idea his webcam got possessed by the Georgians. The said hacker opens files he retrieves from the "enemy" computers without any precautions, etc., etc.

I think a much simpler explanation is in order –– the Georgians baked the whole story based on some true facts and added their own, the same way they dealt with the facts during Russian-Georgian war of 2008. Once a liar always a liar – the authors should check the credibility of such sources first.

I must agree that this does smell a lot like bovine feces. Even I, a modest IT consultant, unplug the webcam whenever I don't intend to use it. And even I can think of better ways so nobody would ever trace my address/IP or whatever. Come on, go to any wifi hotspot. No government, no nothing. The whole story seems so unbelievable that it looks like it's engineered by the same guy who did "Enemy of the State" with their "zoom in, turn 140 degrees, look what's inside the bag, and enhance".

This is definitely another feeble attempt to discredit Russia. Isn't the first, won't be the last. I'm surprised they don't get slapped by the global community for these dirty child's games.

Regarding the last paragraph of the story, perhaps Ars could answer this for us? Assuming it is a webcam with an LED "on" indicator, is there a software bypass that allows the webcam to capture images without the indicator light being on? I thought when Apple first started including these in laptops they stated there is a hard-wired connection that would only allow the webcam to work if the indicator light was already on.

Also, they should have given that guy a high-def webcam before hacking him; those pictures aren't super clear.

In certain webcams, especially older models, the LED light is always on as a signal that it is properly connected and configured.

As for the Georgians, I guess that's the best they could do after Russia wiped the floor with them in 2008.

This article is built on a premise that whatever the Georgians say is true (of course -- they may be bastards, but at least they are our bastards). They hacked the hacker happily hacking the "process of creating new malicious modules" out of his crappy apartment, who had no idea his webcam got possessed by the Georgians. The said hacker opens files he retrieves from the "enemy" computers without any precautions, etc., etc.

I think a much simpler explanation is in order –– the Georgians baked the whole story based on some true facts and added their own, the same way they dealt with the facts during Russian-Georgian war of 2008. Once a liar always a liar – the authors should check the credibility of such sources first.

This was discussed in the article: "In all such cases, especially those in which sensitive episodes are talked about publicly, care has to be taken before putting too much credence in the tale. We have no reason to believe that Georgia is wrong in its analysis, but it pays to be aware of the ways that publicizing alleged attacks can be used for domestic political ends or to influence external geopolitical actors. Even if both motives are absent, some information might simply be incorrect or misinterpreted. In the murky world of international hacks, even attempts at transparency can be difficult."

The point here isn't so much what happened, but the fact that a state would release this kind of data, and why it might do so.

Also, seeing as how Georgia and Russia have been at odds with each other for quite some time now, not too surprised over this, and Russia is probably praising the hacker for his efforts. Probably flogging him for being busted tho.

stiltner wrote:

This is why I surf naked all the time. If they wanna photograph a 300 lb man with nipple rings made of baby doll heads, let em. I figure the shock and awe alone is enough to guarantee that unless they really are on the verge of suicide, they'd never click for that pic

Georgia took an interesting slant to it though. I dunno if posting the dude's picture is a huge deal, if he truly is in Russia and they won't extradite, then who cares.

LMAO to your first paragraph.

Odds are good that Georgia and Russia will not be cooperating with each other in the same manner that the UK and the US do with copyright infringers.

if a skilled hacker like the person behind the Georgia attacks can himself be so easily viewed with his own webcam... what hope do the rest of us have?

The answer is, of course, none.

Other than turning your webcam off when you're not using it? I think competently built laptops have a hardware (not software) switch that does that. And webcams for desktops often come with a shield. (edit: well, that obviously wouldn't help you when you're actually using your webcam for communication, which might well be the content a hacker is after)

Dunno how I'd protect myself from anyone taking over my Nexus 7, other than the viruskiller I have installed and keeping my OS and software up to date.

---

I too think Georgia wants to portray this as Russia attacking them as a state, and not some Borat dude who randomly upgrades his malware.

Also, his webcam sucks, couldn't they have gotten better pictures? Though his apartment does look typical Soviet era.

Let's be logical here though. A state-sponsored spy working from a crappy apartment with a computer with a working webcam? NSA hardening recommendations have stated for years to disable cameras in laptops; I doubt other agencies haven't applied the same kind of rules.

If Georgia's story is true, then while the software itself might have been developed in-house it's quite likely that the management of the incursion was farmed out to an 'independent' operator working well outside official FSB channels. This would afford a measure of deniability. The Borat-lookalike in the pictures is probably little more than a script-kiddie working to order and not getting paid all that much.

Let's be logical here though. A state-sponsored spy working from a crappy apartment with a computer with a working webcam? NSA hardening recommendations have stated for years to disable cameras in laptops; I doubt other agencies haven't applied the same kind of rules.

What happened to the control servers situated in friendly (NATO) countries?

I lean toward the idea that the hacker is a minion working for the state and not the inventor or main driver of the hacking.

The entire complicated story also raises one truly basic question: if a skilled hacker like the person behind the Georgia attacks can himself be so easily viewed with his own webcam... what hope do the rest of us have?

grstanford wrote:

A lump of blu-tak over the webcam lens when not in active use works quite nicely.

I bet a little piece of masking tape or, better yet, blue painter's tape would do the job just fine, too. On my next-to-last laptop, I moved the little EnergyStar decal a few inches to the right: problem solved. I haven't done anything to my new laptop 'cause of the proximity of the webcam to the ThinkLight but this article is making me a little paranoid.

This was discussed in the article: "In all such cases, especially those in which sensitive episodes are talked about publicly, care has to be taken before putting too much credence in the tale. We have no reason to believe that Georgia is wrong in its analysis, but it pays to be aware of the ways that publicizing alleged attacks can be used for domestic political ends or to influence external geopolitical actors. Even if both motives are absent, some information might simply be incorrect or misinterpreted. In the murky world of international hacks, even attempts at transparency can be difficult."

The point here isn't so much what happened, but the fact that a state would release this kind of data, and why it might do so.

This disclaimer is a feeble attempt at making this piece sound "objective". Think about what a layman takes away from the gist of this piece –– certainly not this boilerplate. This material raised much more interesting and deeper issues, which you leave untouched. Why and how US security is allegedly behind this, how this activity is connected to the US's own practices (Stuxnet). Why the Georgian report was published now that Saakashvili is out of office, and so there is a hope of improving Russian-Georgian relations.

Regarding the last paragraph of the story, perhaps Ars could answer this for us? Assuming it is a webcam with an LED "on" indicator, is there a software bypass that allows the webcam to capture images without the indicator light being on? I thought when Apple first started including these in laptops they stated there is a hard-wired connection that would only allow the webcam to work if the indicator light was already on.

Also, they should have given that guy a high-def webcam before hacking him; those pictures aren't super clear.

I was #11 in the plus to this quote and came here to say the exact same thing. I'd love to see an Ars article on the basics of how to protect thyself, short of just not turning your computer on.

The Georgian malware, like the hacker's own malware, could also watch the user's screen and snap pictures from a connected webcam. Soon enough, Georgian authorities say they "captured [the hacker in] the process of creating new malicious modules" for his malware system.

This is particularly important if you use a laptop at your office. All sorts of interesting information could be gleaned by a hacker intent on industrial espionage listening in on your side of phone calls or cubicle discussions.

Something else that many might not be aware of is that if you have Google Voice installed (for making phone calls in Gmail), Google Search actively listens to your microphone for voice input to launch searches (a microphone icon appears in the search box when enabled).

I used to think I was being silly--it's not like I've ever had virus trouble in the past--but placing a blackout sticker over the webcam of every new laptop I get feels more and more justified as time passes.

taken with his own webcam after the Georgians hacked the hacker with the help of the FBI and others.

If the FBI's charter only allows them to operate domestically, then why does it seem they are constantly in international news?

I think you are confused. Nothing prevents the FBI from working outside the country. The legal restrictions are the other way around, preventing the *CIA* from spying on Americans domestically (in theory; since 9/11 it has gotten blurrier). But the FBI helps overseas all the time, and even has a web site page describing its international operations; there is no secret there at all: http://www.fbi.gov/about-us/international_operations